
The attack has hit us! Now what? Applying IT Disaster Recovery / Business Continuity Preparation

During the development of security policies for an organization that was at the beginning of its journey towards safeguarding its own (and its customers') data, we were never asked the most obvious question: What if a disaster strikes and we have to go through this? Everyone was so concentrated on determining the input that the obvious thought did not appear: What do we actually do when disaster strikes? All good and well having a great policy, but we need to get cracking at implementing technical solutions that help us act when the unthinkable really occurs. Based on the policy, strategies to act in accordance with the policy emerge. And sometimes, as in this case, new solutions to the issues at hand are discovered.

Source: Carnegie Mellon [1]


A Business Continuity Plan, or BCP, is how an organization guards against future disasters that could endanger its long-term health or the accomplishment of its primary mission. The primary objective of a Disaster Recovery Plan (a.k.a. Business Continuity Plan) is to describe how an organization has to deal with potential natural or human-induced disasters. The disaster recovery plan steps that every enterprise incorporates as part of business management include the guidelines and procedures to be undertaken to effectively respond to and recover from disaster scenarios that adversely impact information systems and business operations. Plan steps that are well constructed and implemented will enable organizations to minimize the effects of the disaster and resume mission-critical functions quickly [2]. According to NIST, the DRP only addresses information system disruptions that require relocation [3] (Source: NIST). For our short analysis, we will treat the two terms as meaning the same thing; it is not quite necessary (or possible) to invest in an alternative location like a container data center in all cases.

Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. Unfortunately, inventories pose an issue more often than not. Having a complete and up-to-date asset list is not supported in the way needed and desired for a disaster recovery plan. Most tools on the market support only a limited number of operating systems, and non-smart assets are a tedious manual workload. The toolset R&P offers, underpinning our field-proven managed/military project office, is operating-system agnostic and provides real-time information on HW assets, SW assets (all operating systems), firmware assets, BIOS/EFI, router/switch configs and printer-queue/print-server configuration, and by way of the newest addition also provides access to the firmware versions of displays and further non-smart assets. From this inventory, it is fairly easy to identify critical software applications and data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration [4] (Source: HLS US).
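Turning the inventory into a restoration priority, as an added example (not R&P's toolset and not from the page): a constructed asset list records what each asset needs to run and the RTO of the business function it serves, and the two functions propagate the strictest RTO down to the infrastructure and order the rebuild so that dependencies come first and the most urgent ready asset is restored next. Asset names, RTO values and the dependency graph are assumptions made for the example.

```python
import heapq
from graphlib import TopologicalSorter  # Python 3.9+; raises CycleError on loops
# Constructed sample inventory (not from the page). Each asset records the RTO
# (minutes) of the business function it directly serves, None for pure
# infrastructure, and the assets it needs in order to run.
INVENTORY = {
    "core-switch-1": {"type": "network",  "rto": None, "depends_on": []},
    "db-server-1":   {"type": "hardware", "rto": None, "depends_on": ["core-switch-1"]},
    "app-server-1":  {"type": "hardware", "rto": None, "depends_on": ["core-switch-1"]},
    "order-db":      {"type": "data",     "rto": 60,   "depends_on": ["db-server-1"]},
    "order-entry":   {"type": "software", "rto": 60,   "depends_on": ["app-server-1", "order-db"]},
    "intranet-wiki": {"type": "software", "rto": 1440, "depends_on": ["app-server-1"]},
}

def effective_rto(inventory):
    """Give each asset the strictest RTO of anything that transitively runs on it."""
    for name, asset in inventory.items():
        for dep in asset["depends_on"]:
            if dep not in inventory:  # a gap in the asset list is itself a finding
                raise KeyError(f"{name} depends on unknown asset {dep!r}")
    eff = {name: asset["rto"] for name, asset in inventory.items()}

    def push_down(name, rto):  # infrastructure inherits the urgency it carries
        for dep in inventory[name]["depends_on"]:
            if eff[dep] is None or rto < eff[dep]:
                eff[dep] = rto
                push_down(dep, rto)

    for name, asset in inventory.items():
        if asset["rto"] is not None:
            push_down(name, asset["rto"])
    return eff

def restoration_order(inventory):
    """Dependencies first; among rebuildable assets, strictest effective RTO first."""
    eff = effective_rto(inventory)
    sorter = TopologicalSorter({n: set(a["depends_on"]) for n, a in inventory.items()})
    sorter.prepare()  # CycleError here means the inventory contradicts itself
    # assets nothing time-critical depends on sort last; ties break by name
    key = lambda n: (eff[n] is None, eff[n] if eff[n] is not None else 0, n)
    ready = [(key(n), n) for n in sorter.get_ready()]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        sorter.done(name)
        for nxt in sorter.get_ready():
            heapq.heappush(ready, (key(nxt), nxt))
    return order
```

With the sample data the core switch is rebuilt first even though no business function names it, because everything with a 60-minute RTO runs on it; the wiki, with a one-day RTO, comes last.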

Phases of building a BC or DR Plan

Phase I – Data Collection

- The project should be organized with timeline, resources, and expected output
- The business impact analysis should be conducted at regular intervals
- A risk assessment should be conducted regularly
- Onsite and offsite backup and recovery procedures should be reviewed regarding suitability and performance
- Alternate site locations (if any) must be selected and ready for use


Phase II – Plan Development and Testing
- Development of the Disaster Recovery Plan (DRP)
- Test the plan (regularly)

Phase III – Monitoring and Maintenance
- Maintenance of the plan by way of updates and regular reviews
- Periodic inspection or audit of the DRP
- Documentation of any changes

There is – of course – a need to give staff all necessary information about the plans and to train them on it; otherwise, staff cannot follow the rules once a critical situation hits.

Disaster Recovery Plan Criteria

Documentation of the procedures for declaring an emergency, evacuation of the site according to the nature of the disaster, active backup, notification of the related officials/DR team/staff, notification of the procedures to be followed when disaster breaks out, and alternate location specifications should all be maintained. It is beneficial to be prepared in advance with sample DRPs and disaster recovery examples so that every individual in an organization is better educated on the basics. A workable business continuity planning template or scenario plans are available in most IT-based organizations to train employees in the procedures to be carried out in the event of a catastrophe [5]. Recovery strategies should be developed for information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes [6] (Source: HLS US).

Downtime can be identified in several ways [7] (Source: NIST):


Cost-Benefit

The longer a disruption is allowed to continue, the more costly it can become to the organization and its operations. Conversely, the shorter the return time to operations, the more expensive the recovery solutions are to implement [8]. (Note that R&P excel in cost reduction of systems recovery.)

IT Recovery Strategies


Information technology systems require hardware, software, data and connectivity. Without one component of the "system," the system may not run. Therefore, recovery strategies should be developed to anticipate the loss of one or more of the following system components:
- Computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.)
- Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
- Connectivity to a service provider (fiber, cable, wireless, etc.)
- Software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.)
- Data and restoration [9] (Source: HLS US)

Impact Analysis

The impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

• Lost sales and income
• Delayed sales or income
• Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
• Regulatory fines
• Contractual penalties or loss of contractual bonuses
• Customer dissatisfaction or defection
• Delay of new business plans

in the case of corporate businesses, and in similar ways for public services [10].

Testing and Maintenance

The dates of testing, the disaster recovery scenarios, and the plans for each scenario should be documented. Maintenance involves records of scheduled reviews on a daily, weekly, monthly, quarterly or yearly basis; reviews of plans, teams, activities and tasks accomplished; and complete documentation review and update.

In case of an incident

These are the recommended three steps in case any incident happens, be it a hacking attack or other malevolent cyber-incidents (e.g. ransomware hitting the organization), malfunctioning software or operating-system updates, or faulty firmware, BIOS or software patches:

– Identification

– Containment


– Eradication (A good example of actions performed during the eradication phase would be using the R&P-provided toolset, which allows for an individual recovery of each complete system end-to-end.) Professional services close the attack vectors, but at this point it is of the essence not to lose time with forensic or analytical work. If necessary, the R&P tools may perform cloning of affected systems for analytic use later.

– Recovery (Bring affected systems back into the production environment carefully, so as to ensure that this will not lead to another incident. It is essential to test, monitor, and validate the systems that are being put back into production to verify that they are not being re-infected by malware or compromised by some other means.)

– Lessons Learnt [11] (Well, this is the documentation task everyone hates, but it is essential for future reference.)

Checklist

This checklist helps to make sure all boxes are ticked in case the incident hits you:
- Stop the attack in progress.
- Cut off the attack vector.
- Assemble the response team.
- Isolate affected instances.
- Identify the timeline of the attack.
- Identify compromised data.
- Assess the risk to other systems.
- Assess the risk of re-attack.
- Apply additional mitigations, additions to monitoring, etc.
- Forensic analysis of compromised systems.
- Internal communication.
- Involve law enforcement (if you are not law enforcement yourselves).
- Reach out to external parties that may have been used as a vector for the attack.
- External communication.

Getting rid of assumptions as a winning strategy

Summarizing, here are the five major points to consider:

1. Repetitive probing and repeated tests of IT security will deliver facts and figures vs. a false feeling of safety.

2. Generally speaking, the lead time to recovery of any of your configurable items (CI) is the best possible recovery time. Any company can be out of business quickly if incapable of returning to an operational state. If Deutsche Bank is not operational one day, it is their doomsday. Security tests will deliver unpleasant facts on IT assets formerly deemed safe. Take 20 minutes to return to normal as a goal.


3. Companies lose customers due to vanished trust in their capabilities (e.g. repeated outages or an inability to adapt). Public services sometimes have even more critical usage and depend on minutes. Using experiences from R&P public sector/HLS engagements is not a bad idea.

4. The shortcut in implementing disaster recovery is to implement a proper DR capability already in the early planning phase.

5. The second-best strategy is not to lose time over reviewing existing IT infrastructure, and to enhance it by applying the R&P MPO toolset.

Roth & Partners have significant experience in the above five topics and the capability to support IT experts globally in their challenge to enhance IT security systems. Your advantage: give us a bell at one of our centers or write a mail:

Sources:

[1] http://resources.sei.cmu.edu/asset_files/TechnicalReport/2004_005_001_14405.pdf
[2] http://www.disasterrecovery.org/
[3] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
[4] https://www.ready.gov/business/implementation/IT
[5] http://www.disasterrecovery.org/plan_steps.html
[6] https://www.ready.gov/business/implementation/IT
[7] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
[8] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
[9] https://www.ready.gov/business/implementation/IT
[10] https://www.ready.gov/business-impact-analysis
[11] https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
